s4n7h0 / xvwa Goto Github PK

XVWA is a badly coded web application written in PHP/MySQL that helps security enthusiasts to learn application security.

License: GNU General Public License v3.0

HTML 6.07% PHP 91.83% CSS 0.43% Hack 1.67%

xvwa php application-security learning-appsec vulnerability knowledge mysql

xvwa's Introduction

Xtreme Vulnerable Web Application (XVWA)

XVWA is a badly coded web application written in PHP/MySQL that helps security enthusiasts to learn application security. It’s not advisable to host this application online as it is designed to be “Xtremely Vulnerable”. We recommend hosting this application in local/controlled environment and sharpening your application security ninja skills with any tools of your own choice. It’s totally legal to break or hack into this. The idea is to evangelize web application security to the community in possibly the easiest and fundamental way. Learn and acquire these skills for good purpose. How you use these skills and knowledge base is not our responsibility.

XVWA is designed to understand following security issues.

SQL Injection – Error Based
SQL Injection – Blind
OS Command Injection
XPATH Injection
Formula Injection
PHP Object Injection
Unrestricted File Upload
Reflected Cross Site Scripting
Stored Cross Site Scripting
DOM Based Cross Site Scripting
Server Side Request Forgery (Cross Site Port Attacks)
File Inclusion
Session Issues
Insecure Direct Object Reference
Missing Functional Level Access Control
Cross Site Request Forgery (CSRF)
Cryptography
Unvalidated Redirect & Forwards
Server Side Template Injection

Good Luck and Happy Hacking!

Disclaimer

Do not host this application on live or production environment. XVWA is totally vulnerable application and giving online/live access of this application could lead to complete compromise of your system. We are not responsible for any such bad incidents. Stay safe !

Copyright

This work is licensed under GNU GENERAL PUBLIC LICENSE Version 3 To view a copy of this license, visit http://www.gnu.org/licenses/gpl-3.0.txt

Instructions

XVWA is hassle-free to setup. You can set this up on windows, linux or Mac. Following are the basic steps you should be doing on your Apache-PHP-MYSQL environment to get this working. Let that be WAMP, XAMP or anything you prefer to use.

Manual Installation Method

Copy the xvwa folder in your web directory. Make sure the directory name remains xvwa itself. Make necessary changes in xvwa/config.php for database connection. Example below:

$XVWA_WEBROOT = '';  
$host = "localhost"; 
$dbname = 'xvwa';  
$user = 'root'; 
$pass = 'root';

Please note that mysql version 5.7 and above requires sudoer to access root user. This means apache user will not be able to use 'root' username to access the database. In such cases, a new username would need to be created and config.php file would also need to be changed accordingly.

Make following changes in PHP configuration file

file_uploads = on 
allow_url_fopen = on 
allow_url_include = on

XVWA will be accessible at http://localhost/xvwa/

Setup or reset the database and table here http://localhost/xvwa/setup/

The login details

admin:admin
xvwa:xvwa
user:vulnerable

Automatic Installation Script

I have written a small script to easily automates XVWA Setup in linux distributions. Run this with root to install the dependencies if not found in your linux environment

https://github.com/s4n7h0/Script-Bucket/blob/master/Bash/xvwa-setup.sh

Alternative Setup Environments

Docker

I have also seen a multiple dockers published to setup XVWA. Our thanks to all of them. Any docker lovers can also checkout below work. https://github.com/tuxotron/xvwa_lamp_container

Live ISO

@knoself made XVWA live ISO on minimal Ubuntu server 14.04.x (issue27) https://mega.nz/#!4bJ2XRLT!zOa_IZaBz-doqVZz77Rs1tbhXuR8EVBLOHktBGp11Q8

User = xvwa
Pass = toor

About

XVWA is intentionally designed with many security flaws and enough technical ground to upskill application security knowledge. This whole idea is to evangelize web application security issues. Do let us know your suggestions for improvement or any more vulnerability you would like to see in XVWA future releases.

Authors:

@s4n7h0 https://twitter.com/s4n7h0
@samanL33T https://twitter.com/samanl33t

xvwa's People

Contributors

Stargazers

Watchers

Forkers

hacksparrow myersg86 johnjohnsp1 mausvargas 0xbadca7 kwac stevesbrain traceur df-5 conbon stefkiourk baiyunping333 theotherside therebelbeta guardianrg espreto nasimnabavi noscripter lu-chi yanc0 avambro semicolonexpected xmillies sha8e mikebarkas ababak1990 retord securityigi skunkface minxianli falcondev91 cvexva marciojrtorres isserene hkingz xblackswan znanl gamehacker haknmcaobin roewe vleboy srinathweb shrz doctor-love kingsofleone liuxuecheng nekulin wellic ftwbzhao securitybear miguelcifp vidmed akopitsa vehsamrak jothatron trosane mdb-webdev maidmaid brother-simon 95270 yaoyi2008 0day29 janek109 team-firebugs michaellcader 3unnym00n exploitprotocol phillipnordwall baiyinnamula dit81 annibuliful sanjogpandasp gowth4m hawk0p dylangywu om3rcitak blckphox smallmeet noobzero kbahaxor linglongscru tnktecnologia flowryan1 krio-rogue javarockstar tardummy01 olivierh59500 bertram888 williamhanugra lubyanov ozelfatih lzskyline bryant1410 shekkbuilder z0x010 doduytrung william0713 abby6595 sast-tester kashifrehmanarain

xvwa's Issues

Installing

OK... I'm stuck... I'm installing on top of XAMPP.

This is my config file

When I visit localhost I get this:

I get errors in the source

Any ideas?

i supposed that u should write a poc for every subject

there should be some details

More command injection scenarios.

Hey @s4n7h0, it would be interesting if there were more command injection scenarios (i.e blind command injections, HTTP Headers command injections, code injections etc).

Only Blank Page Showing

Hi everyone,

I am currently facing the same issue as others have stated here: I only see a blank page with the black header after I setup XVWA and try to reach the website. My system is a custom-built linux using yocto, including apache, php, mysql and proftpd. Sadly I am not able to run the setup script since the commands won't work. I followed the steps the script is doing manually.

The my.cnf has the following lines:

[client]
#password                                       = password
...
[mysqld]
user                                            = root
...

The XVWA config is:

<?php
$XVWA_WEBROOT = "";
$host = "localhost";
$dbname = 'xvwa';
$user = "root";
$pass = "";
$conn = new mysqli($host,$user,$pass,$dbname);
$conn1 = new PDO("mysql:host=$host;dbname=$dbname", $user, $pass);
$conn1->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
?>

I have created a database named xvwa and SQL Server is running:

/etc/init.d/mysqld status
 SUCCESS! MySQL running (1335)

Do you have any suggestion what to try to get it running? Any help is appreciated!

Code needs to be updated for PHP 7.2.4!!

Code needs to be updated for PHP 7.2.4!!
It throw out errors in all attack pages.

Examples / Screenshots:

SQLI: https://i.imgur.com/JMmX6DG.png
SQLI (Blind): https://i.imgur.com/AhjJw4X.png
OS Command Injection: https://i.imgur.com/5Etu6I1.png
XPATH Injection: https://i.imgur.com/nNMrEBJ.png
Formula Injection: https://i.imgur.com/XNjNWj1.png
Unrestricted File Upload: https://i.imgur.com/8EvGm9y.png
XSS - Reflected: https://i.imgur.com/XesCddI.png
SSRF / XSPA: https://i.imgur.com/vVqNrRu.png
File Inclusion: https://i.imgur.com/5t8m0Pc.png
Session Flaws: https://i.imgur.com/LA91x6w.png

I think it's enough to see that XVWA i broken ATM.
Please fix it as fast as you can!

blank screen

Hi Team ,

first thank you for the effort on running such deliberate vulnerable app

i am trying to install the application on virtualbox running ubuntu , LAMP stack installed , phpmyadmin also installed .. database created

however every time i try to access the page all i get blank screen

http://192.168.56.103/xvwa/setup/

drwxrwxrwx 9 root root 4096 May 28 17:48 xvwa

setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); ?>

file_uploads = On
allow_url_fopen = on
allow_url_include = on

can anyone suggest what went wrong , thank you

login redirection

Hi .. facing issue

whenever i login and enter admin admin , i get redirected to http://localhost/var/www/html/xvwa/login.php ??

The requested URL /var/www/html/xvwa/login.php was not found on this server.

Apache/2.4.18 (Ubuntu) Server at 192.168.56.102 Port 80

pwd : /var/www/html/xvwa/
ls : login.php exist

Thank you

Blank page

i'm success in installation process but when i try to open localhost/xvwa, it only show blank page. Is there any dependency of bootstrap maybe?

Getting some Errors when try to setup.

System: Windows 10 Professional
Webserver: XAMPP (Apache, MySQL, PHP)

Screenshot: https://i.imgur.com/HoUFh6F.png

config.php is correct. (User: "root", Password: "")

php "includes" wrongly linked

Many php files seems to be wrongly linked including the login.php . idk if this happens just in my case but I tried manually changing 'include' paths on files like e.g. header.php, setup/home.php. Since header.php has bad 'include' links, the rest of the document never loads completely, showing up an almost blank page.
Obviously, correcting the bad links solved the part of the issue, but there are many of them that I think it's kind of annoying for the end user to manually find and edit wrong coding.
My os: Ubuntu - yakkety

Have u tested the "Unrestricted File Upload "?

i have seen the code of the "Unrestricted File Upload ",but i can't upload a image
i have a test of dvwa ,that's ok
pls help me ,and give me the answer,thank u!

Igot Blank Page After end all config and database is conected has no error and igot blank page Can Some help for that im use auto script

blank page

hi, i'm confused after the installation xvwa on my machine i found blank page, i'm already follow up the instruction step by step with correctly, but same...
can u hel me please?

Code needs to be updated to run with PHP 7.0.x

mysql_connect, mysql_fetch_array(), mysql_select_db() and other MySQL PHP functions are used which doesn't work with updated version of PHP. I had to replace it with mysqli_connect and similarly for others.
Also this error is common with new version of PHP
PHP Notice: Undefined variable: input in C:\xvwa\vulnerabilities\xpath\home.php on line 35

Code needs to be updated to run with PHP 7.0.x

Eg : PHP Fatal error: Uncaught Error: Call to undefined function mysql_select_db()

something wrong

unbutu14.04 mysql apache2 php5.5.9
and it can't work correctly
only see xvwa on the top of left

okey
php5-mysql need install

Can't log in.

After successfuly visiting locally xvwa, I tried to login so I can setup the database and start using it.
Yet though, clicking login (after entering the details, tried with all of them: admin, xvwa, and user),
all I get is a blank (white) page with url: http://localhost/xvwa/login.php.

Is it a local problem? (Note that I am using UniServer Zero XI 11.8.1)

ISO

Hey, I built a bootable live iso of xvwa, I know you have mentioned this before but I dont see one on here so I thought if you'd like to contact me to take a look you may wanna take a look. its built on a minimal ubuntu server 14.04.x and easy to throw in a vm and just run and then navigate to 192.x.x.x./wvwa or whatever and good to go !

config.php Error

When the config.php file is:

I got this Fatal error when I open the localhost/xvwa

when I remove dbname and let it dbname = ''
I got error when i reset/setup the database

Warning \xvwa-master\header.php on line 18

I install xvwa on a local network under Windows 10 when I runhttp://localhost:8080/xvwa-master/setup/ I have the following error message

Warning: include(G:\serveur\root\xvwa-master../xvwa/config.php): failed to open stream: No such file or directory in G:\serveur\root\xvwa-master\header.php on line 18

Warning: include(): Failed opening 'G:\serveur\root\xvwa-master../xvwa/config.php' for inclusion (include_path='.;C:\php\pear') in G:\serveur\root\xvwa-master\header.php on line 18

I got a blank page when i enter localhost/xvwa

I've used the auto setup "xvwa-setup.sh" and it runs successfully when I enter localhost/xvwa an empty page appears with a black bar at the top while the xvwa word appears at the left inside the bar, while mysql and apache is running not stopped

Tengo un problema con la ISO de xvwa

He bajado la ISO, pero tengo muchos problemas.
Vulnerabilidades como las de el ssrf no funcionan.
Espero puedan corregir eso.